
I am reading about High Availability and I cannot understand the following I read: On failover the primary IP migrates to the backup server BUT so must the MAC address.

Specifically, I read that every machine has a unique MAC address that can be used by all interfaces in the machine. I don't get this part. Doesn't the MAC belong to the NIC? What is meant by interfaces in this sentence?

Also, on failover the clients must update their IP/MAC mapping, and I found 3 ways for this, one of which is by using a custom MAC and moving it from primary to backup along with the public IP. How is this possible? Does high availability software, e.g. Pacemaker, do this? How?

user76678
  • Actually I'm losing track of what you're asking. I'm afraid you don't really have a specific question and thus are missing the format of the Q&A character of SF. – Theuni Dec 09 '12 at 11:13
  • @Theuni: What I don't get (and the core of my OP) is the mention of being able to create a "virtual" MAC and move that around along with the IP – user76678 Dec 09 '12 at 12:58
  • There is no need to do that. Please read up on the OSI model (http://en.wikipedia.org/wiki/Osi_model), specifically how layers 2 and 3 interact. – Theuni Dec 09 '12 at 13:03

4 Answers


The book is correct, however there are pieces it left out.

  • MAC addresses are not as fixed as you would think; most higher-end NICs have the ability to change the MAC address to something specific, either in the NIC's BIOS or in the driver itself.
  • There are specific ranges of MAC address set aside for 'virtual' systems (see What range of MAC addresses can I safely use for my virtual machines?)
  • Clustering software may use MAC addresses from these set-aside ranges to present the cluster IP services.
  • The linux network stack has the ability to create virtual NICs with specific MAC addresses.

The procedure followed by clustering software to create a service based on a virtual MAC address is pretty straightforward. When the service comes up, it sends a Gratuitous ARP packet saying that the specific IP address can be found on the virtual MAC address. When failover happens, the 'down' node removes its local IP/MAC binding and the new node starts listening on that virtual MAC address and IP combination. No muss, no fuss.

The other method used by clustering software is to not bother with virtual MACs at all and rely on Gratuitous ARP the whole way. The startup/failover sequence for such a system would look like:

  1. cluster software binds IP to Node A.
  2. Node A G-ARPs "192.168.244.60 is on 02-00-ab-cd-ef-01"
  3. All devices on the subnet update their ARP tables.
  4. Time passes.
  5. Node A crashes.
  6. Cluster software binds IP to Node B.
  7. Node B G-ARPs "192.168.244.60 is on 02-00-ab-cd-41-ba"
  8. All devices on the subnet update their ARP tables.

In my experience the second method, pure G-ARP, is the one used by most Linux clustering these days. However, both methods are valid and have been used. The benefit of the G-ARP method is that you don't have to muck about assigning virtual MAC addresses. The benefit of the pure virtual-MAC method is that it doesn't rely on G-ARP working on a given subnet.

sysadmin1138
  • This is consistent with what I am reading! I am not sure what a virtual NIC is. Also, is this handled by Linux facilities? E.g. `Pacemaker`? – user76678 Dec 09 '12 at 16:55
  • @user76678 Yes, look at the [IPaddr2](http://www.linux-ha.org/doc/man-pages/re-ra-IPaddr2.html) resource agent. It allows you to define a MAC address to associate with an IP, the `mac` parameter. – sysadmin1138 Dec 09 '12 at 18:20

This sounds like you have found some pretty bad reading material. Mind posting a reference?

In general: the OSI layer model solves most of those problems and you should almost never have to work on multiple layers at once.

A MAC address may only appear once in an Ethernet segment. On physical machines those are globally unique and never appear twice (not even on multiple NICs on the same machine). With virtual machines you set the MAC by software and have to use some of the private MAC ranges similar to the private IP ranges.

For high availability of IPs it is sufficient to configure an IP on a different host. The operating systems and network infrastructure on layer 2 will take care of updating their MAC/IP mappings automatically.

However, some equipment is stubborn and needs "gratuitous" ARP requests to force them to update their caches.

On Linux I use "ucarp" with additional scripting to automatically configure machines with those "cluster" IPs.

Theuni
  • It is from a book. I can tell you the title if this will make a difference – user76678 Dec 09 '12 at 10:29
  • Well ... it might make a good warning for others to avoid. ;) – Theuni Dec 09 '12 at 10:30
  • It is from `Blueprints for High Availability`. But it is not a new book. Perhaps this part is dated? Or are you saying it is completely wrong? – user76678 Dec 09 '12 at 10:31
  • But your answer is not in contradiction with my OP. You also mention (as in the book) that it is possible to configure the MAC from software. And one of my questions, i.e. whether the MAC belongs to the NIC or the computer, is not addressed by your answer. – user76678 Dec 09 '12 at 10:32
  • So when the book says, for example, that MACs starting with the `8:0:20` prefix belong to `Sun Microsystems`, what does this mean? – user76678 Dec 09 '12 at 10:52
  • It means that Sun Microsystems has an OUI of 8:0:20 (maybe amongst others). Please read up on MAC address basics: http://en.wikipedia.org/wiki/MAC_address – Theuni Dec 09 '12 at 11:01
  • So the discussion is about NICs? – user76678 Dec 09 '12 at 11:03
  • The "MAC from software" is related to virtual machines. A NIC "owns" its MAC address. If you have a virtual machine, then there's a virtual NIC owning a MAC which (by definition) is defined by software. – Theuni Dec 09 '12 at 13:02

You might be mixing up two forms of High Availability or Load Balancing.

Link bonding does (can) assign the same IP address to multiple interfaces on the same host.

For cluster load balancing with HA the machines are all assigned the same IP, with different MACs. One machine will receive all the traffic, but it can forward it to other machines, who can respond directly because they have the same IP. If the master machine fails, a new one is elected, and a gratuitous ARP is done to notify devices that a new machine has the IP.

Anton Cohen
  • 1) When you say `to multiple interfaces on the same host` do you mean `NICs`? 2) Who is responsible for the gratuitous ARP? E.g. Pacemaker? – user76678 Dec 09 '12 at 10:59
  • @user76678: Yes, by interfaces I mean [NICs](http://en.wikipedia.org/wiki/Network_interface_controller). Yes, Pacemaker sends the ARPs via a [Resource Agent](http://www.linux-ha.org/wiki/Resource_agents) like [IPaddr2](http://linux-ha.org/doc/man-pages/re-ra-IPaddr2.html) – Anton Cohen Dec 09 '12 at 11:17
  • Are there any OS or clients today that do not accept gratuitous ARP? – user76678 Dec 09 '12 at 11:31
  • @user76678 Not that I know of, it would be a pretty broken client. A [gratuitous ARP](http://en.wikipedia.org/wiki/Address_Resolution_Protocol#ARP_announcements) is basically a normal ARP, other hosts see the info in it and update their ARP tables. – Anton Cohen Dec 09 '12 at 11:58
  • Is your answer and @Theuni in contradiction, or is it my understanding that is wrong on this? – user76678 Dec 09 '12 at 12:10
  • @user76678 We are in slight contradiction: he said "A MAC address may only appear once in an Ethernet segment", which is normally true for hosts. I'm saying that with certain types of bonding ([link aggregation](http://en.wikipedia.org/wiki/Link_aggregation)) the same MAC may be assigned to multiple interfaces. – Anton Cohen Dec 09 '12 at 12:17
  • What I don't get (in the OP) is the mention of being able to create a "virtual" MAC and move that around along with the IP – user76678 Dec 09 '12 at 12:57

In some HA scenarios, on an HA event, only the IP address is taken over by the standby node. In this case, the standby node needs to broadcast an unsolicited ARP packet to update the ARP tables of devices on the same Ethernet segment. On reception of an unsolicited ARP packet, a device usually does not directly update its ARP table (that would allow easy hacking of a network) but invalidates its ARP entry for the corresponding IP address. The next time the device needs to talk to the HA service, it will do an ARP request to get the MAC corresponding to the IP address.

In some other HA scenarios (such as some routers and firewalls), both the MAC and the IP address are taken over by the standby node. This allows the clients on the same Ethernet segment to keep their ARP tables intact, but it does not mean that the standby node can skip its ARP broadcast (or some other form of network traffic). In this case, the ARP broadcast (or other network traffic) is needed to update the switch's MAC-to-port table so the traffic does not end up on the dead device's port.

You can read this for a more detailed look at the inner workings of switches: How does network sniffing software work over a switch?

jfg956
  • I understand what you are saying. What I don't get is the mention of being able to create a "virtual" MAC and move that around along with the IP – user76678 Dec 09 '12 at 12:57
  • If we have 2 nodes, N1 and N2: the active MAC is foo (N1), and the passive MAC is bar (N2). If N1 fails, N2 takes over the foo MAC and forgets the bar MAC. When N1 comes back, it will have the bar MAC. – jfg956 Dec 09 '12 at 19:18
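The two failover styles from sysadmin1138's answer (pure gratuitous ARP with a changing MAC, versus moving a virtual MAC together with the IP) and the two points jfg956 raises (some hosts invalidate rather than update on unsolicited ARP; with MAC takeover the hosts' ARP caches stay valid but the switch's MAC-to-port table does not) can be replayed in a small model. This is an added example, not code from the thread or from Pacemaker/ucarp: it builds real 42-byte RFC 826 ARP frames, but the switch, the client host and the "cluster" are simplified simulations. The cluster IP and the two node MACs are the ones from the G-ARP sequence above; the client, the switch ports and the locally administered virtual MAC `02:00:ab:cd:00:60` are constructed.

```python
"""Model of one Ethernet segment: a learning switch, a client with an ARP cache,
and a cluster IP that moves between two nodes.  Added example, not from the
thread; the client, ports and the virtual MAC below are constructed."""
import struct
from dataclasses import dataclass, field

ETH_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2
BROADCAST, ZERO_MAC = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"

def mac_bytes(m): return bytes.fromhex(m.replace(":", "").replace("-", ""))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_bytes(ip): return bytes(int(o) for o in ip.split("."))
def ip_str(b): return ".".join(str(x) for x in b)

def build_arp(smac, sip, tmac, tip, op, dst=BROADCAST):
    """Ethernet II header + RFC 826 ARP body for IPv4 over Ethernet (42 bytes)."""
    eth = mac_bytes(dst) + mac_bytes(smac) + struct.pack("!H", ETH_ARP)
    hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # htype, ptype, hlen, plen, opcode
    return eth + hdr + mac_bytes(smac) + ip_bytes(sip) + mac_bytes(tmac) + ip_bytes(tip)

def build_garp(mac, ip):
    """Gratuitous ARP: a broadcast request whose sender and target IP are both ours."""
    return build_arp(mac, ip, ZERO_MAC, ip, ARP_REQUEST)

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, target_ip), or None for non-ARP frames."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    op = struct.unpack("!H", frame[20:22])[0]
    return op, mac_str(frame[22:28]), ip_str(frame[28:32]), ip_str(frame[38:42])

class Switch:
    """Learning switch: remembers the ingress port of every source MAC it sees."""
    def __init__(self): self.fdb = {}                  # MAC -> port
    def ingress(self, port, frame): self.fdb[mac_str(frame[6:12])] = port
    def egress(self, dst_mac): return self.fdb.get(dst_mac, "flood")

@dataclass
class Host:
    mac: str
    ip: str
    arp: dict = field(default_factory=dict)            # IP -> MAC
    invalidate_only: bool = False   # distrust unsolicited ARP: drop the entry, re-resolve later
    def on_frame(self, frame):
        parsed = parse_arp(frame)
        if parsed is None or parsed[2] not in self.arp:  # RFC 826 merge: only refresh known IPs
            return
        _, smac, sip, _ = parsed
        if self.invalidate_only: del self.arp[sip]
        else: self.arp[sip] = smac

class Segment:
    def __init__(self, client):
        self.switch, self.client, self.owner = Switch(), client, {}  # owner: IP -> (MAC, port)
    def bind(self, ip, mac, port): self.owner[ip] = (mac, port)     # cluster software configures the IP
    def announce(self, ip):                                         # the node transmits a G-ARP
        mac, port = self.owner[ip]
        frame = build_garp(mac, ip)
        self.switch.ingress(port, frame); self.client.on_frame(frame)
    def bring_up(self, ip, mac, port): self.bind(ip, mac, port); self.announce(ip)
    def resolve(self, ip):
        """Client ARP request answered by the current owner; the reply also trains the switch."""
        if ip not in self.client.arp:
            mac, port = self.owner[ip]
            reply = build_arp(mac, ip, self.client.mac, self.client.ip, ARP_REPLY, dst=self.client.mac)
            self.switch.ingress(port, reply); self.client.arp[ip] = mac
        return self.client.arp[ip]
    def deliver(self, ip):
        """Switch port a client frame for ip leaves on, given the client's current ARP entry."""
        return self.switch.egress(self.resolve(ip))

VIP = "192.168.244.60"                                   # cluster IP from the thread
MAC_A, MAC_B = "02:00:ab:cd:ef:01", "02:00:ab:cd:41:ba"   # node A / node B MACs from the thread
VMAC = "02:00:ab:cd:00:60"                               # locally administered virtual MAC (constructed)
CLIENT_MAC, CLIENT_IP = "02:00:ab:cd:00:10", "192.168.244.10"  # constructed client
PORT_A, PORT_B = 1, 2

def pure_garp_failover(invalidate_only=False):
    """Steps 1-8 of the G-ARP sequence: the IP moves and the MAC changes, so clients relearn."""
    seg = Segment(Host(CLIENT_MAC, CLIENT_IP, invalidate_only=invalidate_only))
    seg.bring_up(VIP, MAC_A, PORT_A)
    before = (seg.resolve(VIP), seg.deliver(VIP))
    del seg.owner[VIP]                            # node A crashes
    seg.bring_up(VIP, MAC_B, PORT_B)              # node B binds the IP and G-ARPs
    cached = seg.client.arp.get(VIP)              # what the client holds right after the G-ARP
    return before, cached, (seg.resolve(VIP), seg.deliver(VIP))

def virtual_mac_failover():
    """IP and virtual MAC move together: ARP caches stay valid, but the switch must relearn the port."""
    seg = Segment(Host(CLIENT_MAC, CLIENT_IP))
    seg.bring_up(VIP, VMAC, PORT_A)
    port_before = seg.deliver(VIP)
    seg.bind(VIP, VMAC, PORT_B)                   # node B takes over MAC and IP but has not sent anything
    stale_port = seg.deliver(VIP)                 # switch still forwards to the dead node's port
    seg.announce(VIP)                             # any frame from node B (here a G-ARP) fixes the FDB
    return seg.client.arp[VIP], port_before, stale_port, seg.deliver(VIP)
```

`pure_garp_failover()` ends with the client mapping the VIP to node B's MAC and the switch forwarding to node B's port; with `invalidate_only=True` the client's entry is empty right after the G-ARP and gets refilled by an ordinary ARP exchange on next use, which is the behaviour jfg956 describes. `virtual_mac_failover()` shows the other half of his point: the client's ARP entry never changes, yet until node B transmits something the switch keeps sending frames for the virtual MAC to node A's port. Real stacks differ in detail (Linux, for instance, refreshes an existing neighbour entry from a gratuitous ARP), so treat the `Host` policy flag as a model, not a description of any particular OS.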